Learning goals
• Defining Internal Control & Understanding the Internal Control
Framework
• GAO’s Standards for Internal Control in the Federal Government
• OMB Uniform Grant Guidance—requirements for internal controls
• ED’s A123 Internal Control Review Process
• Internal Controls and YOU
• Implementing Strong Internal Controls in Your Agency
• Consequences of Not Having Strong Internal Controls: Avoiding the
Pitfalls
• Case Study
• Case Study Discussion & Analysis
• Conclusion/Wrap Up
• Questions
Defining internal control
• Internal Control: a process effected by an entity’s oversight body,
management and/or other personnel that provides reasonable assurance
that the objectives of an entity will be achieved. These objectives and
related risks can be classified into one or more categories:
• 1. Operations: effectiveness and efficiency of operations and safeguarding
of assets necessary to carry out operations.
• 2. Reporting: reliable reporting for both internal and external use; this
includes financial and non-financial reporting.
• 3. Compliance: compliance with applicable laws and regulations.
• What is an Internal Control System: a continuous, built-in component
of operations, effected by people, that provides reasonable assurance,
not absolute assurance, that an entity’s objectives will be achieved.
• How does all of this come together—the five components of Internal
Control, as established by the General Accountability Office (GAO).
GAO’s Standards for Internal Controls
• Recently revised: GAO revised their standards--aka the Green
Book--in 2014, which then became effective in 2016.
• Standards to guide agencies’ operations: GAO established
these standards so that government agencies know what
internal control is (and isn’t), how it should work effectively
within agencies, how entities should use the Green Book, and
what the five key components of internal control are.
(The revised version highlights 17 principles within these 5
components.)
• Resource not just for federal entities: The Green Book may
also be used and adopted by state and local government
agencies, as well as nonprofits. Management can determine
how to appropriately apply the elements within the Green
Book to their particular agency’s needs.
Five Components of Internal Control
Control Environment
Control environment: this is the foundation of any internal control system.
5 principles
1. Management demonstrates commitment to integrity and ethical values.
2. Management/oversight body oversees the entity’s internal control system.
3. Management establishes an organizational structure, assigns
responsibilities and delegates authority to achieve the agency’s mission
and objectives.
4. Management demonstrates a commitment to recruit, train and retain
competent people.
5. Management evaluates performance and holds individuals accountable for
their internal control responsibilities.
• Training Programs
• Whistleblower Policies
• Code of Ethics
• Clear lines of responsibility and authority
• Grants/program administration
• Fiscal management and operations
Control Environment (cont.)
The Control Environment should be documented. Types
of documentation that can be used are:
• Process narratives
• Organizational Charts
• Flowcharts
• Questionnaires
• Memorandums
• Checklists
• Etc.
Risk assessment
Risk Assessment: identifying and assessing the potential risks facing
the agency, and developing the appropriate risk mitigation tools and
strategies to minimize risk occurrences.
4 Principles
1. Management defines agency objectives so that risks can be identified
and risk tolerance (or risk appetite) levels can be established.
2. Management identifies, analyzes and responds to risks related to the
agency achieving its mission and objectives.
3. Management considers the risk for potential fraud.
4. Management identifies, analyzes and responds to significant changes
that could impact the internal control system.
At all levels, management establishes the organizational priorities for
how it handles its risk assessment process.
Risk assessment (cont.)
Risk Assessment Categories to help identify and assess risks:
Strategic Risk—political risk, talent and succession planning risk, risk
from dependence on other organizations
Financial Risk—risk of audit findings and other things that would
undermine reporting integrity
Compliance Risk—fraud, theft, embezzlement and/or noncompliance with
regulations and requirements
Operational Risk—risk that Programs may fail to meet their objectives,
mishandle federal grant funds, natural disasters, lack of accessible
technology, etc.
This helps to assess the risk, the risk likelihood and potential
impact.
Risk assessment (cont.)
Internal Risks
• Use of qualitative/quantitative methods
• Change in management
• Weak or unresponsive tone set by leadership
• Human capital: quality and/or quantity of personnel
• Rapid growth or reduction
• Change in processes
External Risks
• Technological advances
• Impact of program changes
• Changing legislature
• Decentralized organization operations
• Natural disasters
• Changing client or constituent needs or expectations
Risk assessment (cont.)
Risk Strategies
Control activities
Control Activities: actions management establishes through policies
and procedures to achieve objectives and respond to risks in the
internal control system, which includes the agency’s information
system.
3 Principles
1. Management designs control activities to achieve objectives and
respond to risks.
2. Management designs the entity’s information system and related
control activities to respond to risks.
3. Management implements control activities through written policies.
Communication strategies have evolved in the era of social media. Agencies utilize
email, text messages, Twitter, Facebook, LinkedIn, apps, mail, phone, etc. to
communicate internally and externally.
Monitoring
Monitoring: activities management establishes to assess the quality of
performance over time and to promptly resolve management reviews or
audit findings. This helps to determine if controls are working as they
should.
2 Principles
1. Management establishes and operates monitoring activities to assess
the internal control system and evaluate results.
2. Management remediates identified internal control deficiencies in a
timely manner.
• Implement: don’t be afraid to try new things, experiment and
determine what works best for your agency, and continuously review
the processes implemented.
• Build capacity: have the right people at the table and invest in
training and professional development.
Avoiding the pitfalls
What happens when things go wrong and the internal
control system fails?
1. Audit findings
2. Financial misstatements
3. Business or government losses
4. Federal Intervention
5. Criminal Investigations
6. Loss of public trust
7. Fraud or collusion
8. Program sustainability compromised
9. Reputational harm
10. Loss of funds
Conclusion